Breach risks 3.5M Texans' personal info

AUSTIN (KXAN) - More than three million Texans could be at risk for identity theft after their social Security numbers, birthdates and driver's license numbers were placed on a computer server available to the public.

State Comptroller Susan Combs on Monday acknowledged her office inadvertently made the information available.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," Combs said in a statement released by her office. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location."

"We take information security very seriously, and this type of exposure will not happen again," she added, saying letters will be sent this week to each Texan whose names were on the server.

The comptroller's office said the records included the names, Social Security numbers and mailing addresses of individuals. The information also included some of the individuals' birthdates and driver’s license numbers.

Still, the office said the numbers were embedded as part of a chain of numbers and not listed in separate fields.

The information found its way to the public server as it was being transferred to the comptroller's office by three other state agencies: the Texas Employees Retirement System of Texas, Teacher Retirement System of Texas and Texas Workforce Commission.

"Naturally we were very concerned we found out about this today and we are among those affected by this security lapse," said Lisa Givens, spokesperson for the Texas Workforce Commission.

Givens said two million Texans who filed for unemployment insurance from December 31, 2006 through December 31, 2009 could be at risk  for identity theft.

She said the agencies share information with the comptroller by law to determine addresses for people who may have unclaimed property in Texas.

Agency breakdown

• Texas Retirement System of Texas data transferred in January 2010 had records of 1.2 million education employees and retirees.
• Texas Workforce Commission data transferred in April 2010 had records of about 2 million people in their system.
• Employees Retirement System of Texas data transferred in May 2010 had records of approximately 281,000 state employees and retirees.

The data files transferred by those agencies were not encrypted, even though current rules require it.

Also, the comptroller’s office failed to follow internal procedures, which led to the information being placed on the public server and remaining accessible for some time without being purged.

The mishap was discovered March 31, which prompted the agency to seal off public access. The Attorney General's Office is helping with an internal investigation on how the breach was able to continue and remain undetected for several months. The Attorney General's office was notified on April 6, one week after the comptroller discovered the breach. FBI forensics detectives are assisting in the investigation.

A website is in place to provide more details and recommended steps and resources for protecting identity information.

A toll-free, 24-hour phone line will also be available beginning Tuesday at 855-474-2065.